Master the power of ‘Search-ADAccount’ PowerShell cmdlet

Not many Active Directory administrators know that the Search-ADAccount PowerShell cmdlet can perform a number of handy Active Directory operations such as collecting a list of disabled Active Directory accounts, collecting a list of inactive Active Directory accounts, collecting a list of expired accounts, and so on. In this article, we will explain various parameters supported by the Search-ADAccount PowerShell cmdlet and a few examples of using these parameters.

Microsoft provides PowerShell cmdlets to manage Active Directory operations. Almost every aspect of the Active Directory can be managed using these cmdlets. Active Directory PowerShell modules can be installed from the Server Manager on domain controllers, member servers, and client machines. It is not recommended that you perform heavy PowerShell operations from a domain controller. Instead, use a Windows Server or client that is joined to the Active Directory domain.

Search-ADAccount and supported parameters

Search-ADAccount supports several parameters to collect the required details. Traditionally, you had to design a script that will connect to an Active Directory context and then search the required details by checking various Active Directory attributes. By using the predefined parameters with the Search-ADAccount PowerShell cmdlet, it is easy as pie for Active Directory administrators to collect the required details. The parameters that are supported with Search-ADAccount cmdlet are listed in the table below:

Parameter

Description

-AccountExpiring

-AccountExpiring parameter can be used to return accounts that are expiring in the Active Directory. You need to provide value for TimeSpan parameter in the command.

-AccountExpired

-AccountExpired parameter can be used if you wish to retrieve accounts that have been expired in the Active Directory domain.

-AccountDisabled

As the name suggests, use –AccountDisabled parameter if you need to retrieve the list of accounts that are disabled in the Active Directory domain. –AccountDisabled supports two switches; ComputersOnly and UsersOnly. If you wish to retrieve a list of disabled computer accounts, you will use “-ComputersOnly” and to retrieve only disabled user accounts, use “-UsersOnly”.

-AccountInactive

-AccountInactive is used in case you need to retrieve accounts that are inactive in the Active Directory. All you need to do is specify the time span value.

-LockedOut

You would want to use –LockedOut parameter if you needed to get a list of accounts that have been locked out.

-PasswordExpired

-PasswordExpired parameter can be used if you need to retrieve a list of user accounts whose password have expired.

-PasswordNeverExpires

As per the standard security practices, all organization users are required to change their password according to the password policies configured in the Active Directory. In case you need to retrieve a list of user accounts whose password never expires, you will use –PasswordNeverExpires parameter. Usually, service accounts and user accounts which are used by the applications are set to never expire.

Let’s move on to a few examples that use predefined parameters with Search-ADAccount.

Collecting accounts expiring details

When creating user accounts in Active Directory, you can set an expiry date for these accounts. Once the date has expired, the user can no longer log on to a PC that is joined to the Active Directory domain. Generally, the account expiry setting is used for contractors and third-party accounts. In case you wish to get a list of user accounts that are about to expire, you can execute the PowerShell cmdlet below:

As you can see in the above command, Search-ADAccount collects all user accounts that will expire in 10 days. All you need to do is specify a value for the “-TimeSpan” parameter. The output is stored in the C:\TempAccountExpiry.CSV file.

Collecting expired user accounts

While the above command collects accounts that are about to expire, the command below will collect user accounts that have already expired. It is necessary to collect accounts that have expired and move them to a non-production organizational unit or remove them if expired accounts are no longer needed.

The command above stores output in the C:\Temp\AccountsExpired.CSV file, which contains the user account name and ObjectClass such as user or computer.

Collecting disabled user or computer accounts

Active Directory marks an account disabled when the ADAccount Enabled property is set to “False.” You can collect disabled user or computer accounts from Active Directory by using “-AccountDisabled” parameter in the Search-ADAccount cmdlet. “-AccountDisabled” parameter supports two switches: ComputersOnly and UsersOnly. Examples for both switches are shown below:

To retrieve all disabled accounts including computers and users, execute this PowerShell command: